They mostly opted for Peer-to-Peer (P2P) communication infrastructures, which made their botnets more difficult to disrupt. Nevertheless, there are ways of doing it, and a group of researchers from the Institute for Internet Security in Germany, VU University of Amsterdam, and tech companies Dell SecureWorks and Crowdstrike has decided to test botnets' resilience to new attacks.
While acknowledging that estimating a P2P botnet’s size is difficult and that there is currently no systematic way to analyze their resilience against takedown attempts, they have nevertheless managed to apply their methods to real-world P2P botnets and come up with quality information.
They used crawling and sensor injection to detect the size of the botnets and discovered two things: that some botnets number over a million of bots, and that sensor injection offers more accurate results.
With their disruption attacks - sinkholing and partitioning - they discovered that, among other things:
- The Sality P2P botnet uses a peer reputation scheme which significantly complicates attacks
- The Zeus P2P botnet uses automatic blacklisting of sinkholing servers that communicate too aggressively
- Several P2P botnets are able to repel initially successful attacks against their P2P layers over the long term through the use of backup C&C channels.
"Our evaluation has shown weaknesses which could be used to disrupt the Kelihos and ZeroAccess botnets. However, we have also shown that the Zeus and Sality botnets are highly resilient to sinkholing attacks, the currently most used class of disruptive attacks against P2P botnets," they concluded. "We believe our findings demonstrate that research on alternative P2P botnet mitigation methods is urgently needed."
The research paper is a great read, and can be downloaded here.